Recovering from trojan / virus attacks

Barbara

Hello - I am attempting to recover from virus attacks that
got through my virus sw.

Please excuse these questions if they are really "dumb".
I am doing the debug and fix process myself for the first
time and my terminology and knowledge are still deficient.

I have finally found an excellent book that walks me
through many of the issues and how to research and resolve
them, but it does not cover everything I need to do.

1) I have identified an open port.
Is there a way to "close" it ?

2) I have identified some bad files that were being
pointed to by 2 registry values,
MSCORE
MicrosoftValue

I have effectively disabled them but am trying to
determine their previous values. I have a "used" machine
that was set-up by someone else.
I do not have a new boot disk, etc.

I am not planning on blindly making the changes suggested,
but would like ideas as to how to determine the answers.

Thanks ! Barbara
 
Barbara-

1. What open port did you identify? Remember, identifying an open port
isn't a big deal. There are several ports open by default. You want to
determine if the port you found open is significant (for instance, if you
found a port open that is the default port used by SubSeven or another
trojan). Some ports can be closed - it depends on which port. Some ports
can be closed because they are opened as part of a system service that can
be disabled. Others can be closed because they are there due to software
running at startup. However, with some ports.. the only way to "close" them
is to make them unavailable to outside computers using a firewall or IPSEC,
etc.

2. So you've identified a couple of items in the registry that were being
referenced - presumably on startup and in the RUN key. If you are unsure if
these are needed, just export the entire RUN key to a file (run-backup.reg).
Then, delete those entries. Watch the computer for a couple of days and
confirm that everything is operating regularly. If not, you can always
import that .reg file by double-clicking it or importing it.

As far as determining the previous registry values... most likely, the
values didn't exist. When dealing with malware (trojans, etc.), most create
new DWORDs or other registry entries. Again, MOST OF THE TIME. Every once
in a while, you'll find a registry entry modified. But for the most part,
malware creates new registry entries and these usually exist in the areas of
the registry that control system startup (the most popular being the RUN key
at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

Continue doing what you're doing. You are on the right track. Search Google
for the registry values to determine more information about them. Also
utilize the anti-virus vendor sites for removal instructions, etc.

BS
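The two checks BS describes above, as an added PowerShell example that is not part of the original thread: find out which process and service own a listening port before deciding whether it matters, and export the Run keys to a .reg file before deleting the suspect entries so they can be restored. It assumes a Windows 8 or later machine with an elevated PowerShell session; the port number 27374 and the value names MSCORE and MicrosoftValue are placeholders taken from the thread, not known-bad indicators, and the destructive commands are left as comments or run with -WhatIf so nothing is changed until you remove that switch.

```powershell
# Added example, not from the original post. Assumes an elevated PowerShell
# session on Windows 8+. $SuspectPort and $SuspectValues are placeholders
# (the value names come from the thread); substitute what you actually found.
$SuspectPort   = 27374
$SuspectValues = @('MSCORE', 'MicrosoftValue')
$BackupDir     = Join-Path $env:USERPROFILE 'Desktop\run-backup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# --- 1. Which process owns each listening port? ---
# Many ports are open by default; what matters is the program behind them.
# The suspect port is flagged, the rest are shown so you can compare.
$listeners = Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique

$report = foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($l.OwningProcess)"
    [pscustomobject]@{
        Flag    = if ($l.LocalPort -eq $SuspectPort) { 'SUSPECT' } else { '' }
        Port    = $l.LocalPort
        Address = $l.LocalAddress
        PID     = $l.OwningProcess
        Process = if ($proc) { $proc.ProcessName } else { '?' }
        Path    = if ($proc) { $proc.Path } else { '' }   # empty for system processes
        Service = ($svc.Name -join ',')
    }
}
$report | Format-Table -AutoSize

# How to "close" the port depends on what you found above:
#  - owned by a service you do not need: stop and disable the service
#      Stop-Service -Name <svcname>; Set-Service -Name <svcname> -StartupType Disabled
#  - owned by a program started at logon: remove its Run entry (step 2) and reboot
#  - cannot be disabled: block it at the host firewall instead
#      New-NetFirewallRule -DisplayName "Block TCP $SuspectPort" -Direction Inbound `
#          -Protocol TCP -LocalPort $SuspectPort -Action Block

# --- 2. Back up the Run keys, then remove only the suspect values ---
$runKeys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $runKeys) {
    # e.g. HKLM_SOFTWARE_Microsoft_Windows_CurrentVersion_Run.reg
    $file = Join-Path $BackupDir (($k -replace '\\', '_') + '.reg')
    reg.exe export $k $file /y | Out-Null
    Write-Host "Exported $k to $file"
}

foreach ($k in $runKeys) {
    $psPath = 'Registry::' + $k
    if (-not (Test-Path $psPath)) { continue }
    $key = Get-Item $psPath
    foreach ($name in $key.GetValueNames()) {
        $target = $key.GetValue($name)          # the command line the value points to
        $flag   = if ($SuspectValues -contains $name) { 'SUSPECT' } else { '' }
        '{0,-8} {1,-20} {2}' -f $flag, $name, $target
        if ($flag) {
            # Drop -WhatIf once you are sure; the .reg export above is the undo.
            Remove-ItemProperty -Path $psPath -Name $name -WhatIf
        }
    }
}
# To restore after a few days of testing, double-click the .reg file or run:
#   reg.exe import "$BackupDir\HKLM_SOFTWARE_Microsoft_Windows_CurrentVersion_Run.reg"
```

On an older machine without Get-NetTCPConnection, the same information comes from `netstat -ano` (port and owning PID) combined with `tasklist /svc` (PID to process and service name). Searching the value name alone, as BS suggests, is less reliable than searching the full path and file name the value points to, since malware picks innocuous-looking value names on purpose.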
 
Thank you for the info you shared.
I will continue to pursue these items.

Thanks! Barbara
 